Solution/Action Plan - What departments have done to prevent or correct the problem?

Key Points in Identification

Identified top 10 IT audit issues over the past 3 years

Issues and risk can change over time

Use of Risk Assessment and Control Evaluation (RACE Matrix) to document and communicate risks

Collaboration between Internal Audit and the IT professionals is key to addressing issues and implementing action plans

#10 Patch management procedures are lacking

Lack of process to apply system patches and/or software updates

Patches/updates not applied in a timely manner

IT-12, “proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within a timeframe commensurate with the level of risk (i.e., within 24 hours for high-risk, within 48 hours for medium-risk, and within 72 hours for low-risk).”
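As an added worked example (not part of the original slides), the following Python check applies the IT-12 remediation windows quoted above to a constructed set of patch records and reports each patch as compliant, late, missing or still pending. Host and patch names are invented placeholders.

```python
from datetime import datetime, timedelta

# IT-12 remediation windows in hours by risk level, as quoted in the slide.
SLA_HOURS = {"high": 24, "medium": 48, "low": 72}


def sla_deadline(fix_available: datetime, risk: str) -> datetime:
    """Latest acceptable time to apply a vendor fix for the given risk level."""
    return fix_available + timedelta(hours=SLA_HOURS[risk.lower()])


def evaluate_patch_records(records, now: datetime):
    """Classify each record (host, patch, risk, fix_available, applied-or-None)
    as compliant, late, missing (window closed, not applied) or pending."""
    findings = []
    for rec in records:
        deadline = sla_deadline(rec["fix_available"], rec["risk"])
        applied = rec["applied"]
        if applied is None:
            status = "missing" if now > deadline else "pending"
            overdue = max(now - deadline, timedelta(0))
        elif applied <= deadline:
            status, overdue = "compliant", timedelta(0)
        else:
            status, overdue = "late", applied - deadline
        findings.append({"host": rec["host"], "patch": rec["patch"],
                         "risk": rec["risk"], "status": status,
                         "hours_overdue": round(overdue.total_seconds() / 3600, 1)})
    return findings


# Constructed sample data; hosts and patch ids are placeholders, not real systems.
SAMPLE_RECORDS = [
    {"host": "web01", "patch": "PATCH-A", "risk": "high",
     "fix_available": datetime(2024, 3, 1, 9, 0), "applied": datetime(2024, 3, 1, 20, 0)},
    {"host": "web01", "patch": "PATCH-B", "risk": "high",
     "fix_available": datetime(2024, 3, 1, 9, 0), "applied": datetime(2024, 3, 3, 9, 0)},
    {"host": "db01", "patch": "PATCH-C", "risk": "medium",
     "fix_available": datetime(2024, 3, 2, 12, 0), "applied": None},
    {"host": "file01", "patch": "PATCH-D", "risk": "low",
     "fix_available": datetime(2024, 3, 5, 8, 0), "applied": None},
]
NOW = datetime(2024, 3, 6, 8, 0)  # constructed "audit date"


def noncompliant_hosts(records=SAMPLE_RECORDS, now=NOW):
    """Hosts with at least one late or missing patch, for the audit summary."""
    return sorted({f["host"] for f in evaluate_patch_records(records, now)
                   if f["status"] in ("late", "missing")})


if __name__ == "__main__":
    for finding in evaluate_patch_records(SAMPLE_RECORDS, NOW):
        print(finding)
    print("Non-compliant hosts:", noncompliant_hosts())
```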

Learning Objectives

Discuss the process of identifying audit issues

Learn the elements of an audit issue

Provide awareness of Top 10 IT Audit Issues and examples of each with policy/law references

#9 Non-IT users with admin rights

No documented reason why individual needs admin access

No process in place to educate users with admin rights

Lack of verification that patches are being applied correctly

IT-12, “Limit access to needed services to only authorized persons.”

Principle of least privilege – user account only has rights to perform functions which are essential to that user’s work.

#9 Non-IT users with admin rights

Risks

Users without the necessary technical knowledge

Devices not adequately patched and protected

Solutions

User agreement outlining responsibilities

Training and notification of vulnerabilities

2nd account without admin rights

Scheduled audit or review of devices

Eliminated admin rights for all non-IT faculty and staff

#8 Admin accounts are used for day-to-day activities

Workstation/laptop users with admin access performing daily, routine functions with an admin account

IT staff using admin account for day-to-day activities

IT-12, “Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities.”

Principle of least privilege – user account only has rights to perform functions which are essential to that user’s work.

#8 Admin accounts are used for day-to-day activities

Risks

Increased risk or opportunity for system compromise

Solutions

Created a 2nd local account for day-to-day activities

#7 Server room: Physical controls lacking

No access control

Room not solely dedicated as a server room

Weak physical security

Lacking proper environmental controls

DM-01-S, “If institutional data are stored on any component of the university information system, that system component must have defined a formal system administration function and have assigned to it a system administrator whose responsibilities include: physical site security.”

IT-12, “functional unit management/technicians must: (1) Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.”

#2 Scans for critical data are not occurring

Risks

Unauthorized access to critical data

Unsecured critical data

Solutions

Know the classification of institutional data and who has access

Run Identity Finder scans

#1 Vulnerability scans are not occurring on server(s)

Server scans are not scheduled with SiteProtector, Web Application Vulnerability Scanner, or any other tool